Like all major infrastructure, the nation’s power grid is subject to an array of threats, from naturally caused phenomena such as extreme weather to vandalism, terrorism and insider risks that jeopardize reliability, safety and data security. The stakes are high; our response to an event affects our customers, our reputation and the reliability of the power grid.
AEP evaluates cyber and physical security risks using our risk management process, providing a more comprehensive approach to understanding and managing these risks in relation to other enterprise risks. It also enables decision-making based on the level of acceptable risk, as well as our priorities and resources.
The harsh reality of the digital world is that our infrastructure is under constant threat from cyber and physical attacks. Third-party products and services create new and growing risk to the power grid, prompting new regulations to protect it. As the threats become more sophisticated and far-reaching, it is a constant challenge to achieve the right level of risk management. AEP’s comprehensive security strategy – known as “Defense in Depth” – assumes a broader range of possibilities, such as physical theft, unauthorized access to data, and incidental threats that do not specifically target protected systems or assets.
Cyber & Physical Security
Businesses need to grow and innovate, which includes adopting new technologies, developing new and improved products and services for customers, and finding new revenue streams, channels and ways of creating value. Often, this involves digitalization and automation, opening the door to new threats and security risks to the electric power grid.
In addition, new mobile apps and services that we develop or purchase for customer use, along with our own increasing reliance on cloud-based programs, increase external connectivity to our network. This creates new entry points for potential attackers and poses new challenges for grid security. Our security access program monitors and manages these connections while providing controlled access that allows us to get our work done. We consider and test possible ways attackers could breach our systems. It is not a matter of whether a breach will occur but when. Our strategy includes preparation for recovery if a breach occurs, through policies, procedures and technology, as well as through educating our workforce about the growing threat.
AEP learns from and takes actions based on real-world events. Our Defense in Depth approach to cyber and physical security allows us to deal with threats in real time. These strategies include proactive threat intelligence, monitoring, alerting and emergency response; employee education; forensic analysis; disaster recovery; and criminal activity reporting. Through rapid notification and response when attacks and disasters are underway, we can reduce the impacts of cyberattacks and avoid or mitigate the damage before experiencing the full impact of the threat.
Every two years, we test our operational response to potential power grid vulnerabilities or emergencies through GridEx exercises developed by the North American Electric Reliability Corporation (NERC). These exercises allow AEP to practice and prepare our response to potential emergency scenarios in a controlled environment. This ensures we have the proper policies and procedures in place should an event occur. Through this controlled exercise, we can see how our policies and procedures are helping us respond to various events ranging from cyber and physical attacks to loss of our situational awareness tools.
In 2019, GridEx V tested operational response to multiple crises, including power outages, cyberattacks on grid control systems, and physical attacks on infrastructure. AEP was one of more than 425 organizations from across the electric power industry and federal and state government agencies that participated in the drill.
In 2019, AEP employed a new scanning technology to check for vulnerabilities across a wider range of assets. This new tool allows us to scan both our Information Technology and Operational Technology environments, giving us greater insight into areas of the network that may be vulnerable to a cyberattack. This reduces risks that could potentially jeopardize the security and reliability of data, the grid and our operating and control systems. It also improves our capability for monitoring, mitigating and alerting on new risks from vendor-supplied equipment, operating systems and software connected to the internet.
Cloud computing has created new opportunities for AEP, and as we expand and rely upon these capabilities, we must mitigate the corresponding cybersecurity risks. We have aligned closely with AEP’s Information Technology Cloud Center of Excellence to establish a proactive approach to address security risks associated with the cloud. Our Cloud Security Focus group leads our efforts to establish a strategy for various forms of cloud computing consistent with the Cloud Security Alliance (CSA) framework to develop a security roadmap.
AEP continues to be a leader in cybersecurity through participating in – and leading – industry and regulator-hosted discussions. Our collaboration with the National Governors Association (NGA) allows us to improve our coordination with government in responding to natural disasters and to physical and cyber risks or attacks. We are participating in workshops for states and the National Guard because of their pivotal role in disaster response. We also partner with private sector companies and government agencies to secure the grid.
Drones have great potential to improve efficiency and safety but can also pose physical and cyber risk. AEP’s Drone Governance Team develops consistent processes and policies for drone usage. We are currently in the process of acquiring a new drone management software program to assist in tracking our inventory, training, maintenance and pilot data. We now require all newly purchased drones to be approved by the Chief Security Officer after review by the Cyber Security Team.
Cyber Security Governance
The cyber and physical security of the bulk electric system (BES) is highly regulated by the federal government through the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards. We are routinely audited for compliance with federal standards in both cyber and physical security. In addition, the Board of Directors and the Audit Committee review our cyber and physical security efforts.
AEP’s NERC compliance governance structure was developed specifically to respond to the current compliance environment and provides the direction, agility and organizational support needed to implement an industry-leading NERC compliance program.
To ensure our security controls are comprehensive, effective and in compliance with regulatory requirements, we have established a robust, collaborative security policy management program that aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our resulting policies and standards are jointly developed with AEP’s business areas, through the Enterprise Security Advisory Council, to maximize adoption and implementation of standard controls, thereby reducing security risk to AEP.
We classify all BES facilities based on their criticality to determine the level of physical security needed. This approach allows us to design security controls for new infrastructure from the start, building the costs into capital projects as needed. It also allows us to be more proactive with new and existing infrastructure while balancing risks with mitigation solutions.
Security Awareness & Training
Our most important partners in protecting AEP’s cyber and physical security are our employees. AEP’s Security Awareness program reduces risk by promoting security best practices and providing awareness education to our employees and contractors. The success of our program depends on constant communication and reinforcement. Our mission is to protect AEP’s assets and information, enable the business to work securely and efficiently, and educate employees and contractors about their responsibility to keep AEP secure.
AEP’s Security Training Efforts
- Training covers a wide variety of topics such as policies and standards, domestic violence, workplace aggression, personally identifiable information (PII), password protection and active shooter situations.
- All AEP employees and contractors are required to complete annual Security Awareness Training, which covers issues such as tailgating, access management, phishing and other areas that affect day-to-day security.
- New employees receive training to educate them on their role in protecting the grid as well as information about AEP’s security standards and tips to stay safe online.
- We provide NERC CIP Cyber Security Training for employees and supervisors with NERC CIP access. We also provide training on AEP’s NERC CIP Information Protection Program.
Threats to the grid can also come from within. In response, AEP established an Insider Protection and Prevention Program (IP3). To ensure best practices, we use insights and recommendations from security experts to develop a risk-based approach that continually identifies, assesses and ultimately protects AEP’s critical assets from insider threats. All employees, contractors and other business partners that have access to any critical assets, including personnel, facilities, information, equipment, networks and systems, are included. A cross-functional executive team composed of Physical Security, Cyber Security, Human Resources, Business Ethics and Compliance, Legal, and Information Technology oversees the program.
One of our greatest threats comes from phishing attacks on our systems. Phishing is a form of attack in which malicious emails seek to obtain sensitive information such as user names, passwords, credit card details and other corporate data. Cyber criminals know that humans are the weakest link when it comes to protecting corporate data, and they are continuously creating more sophisticated phishing emails to exploit this weakness. In early 2020, AEP adopted a new Phishing Accountability policy to educate employees on how to better identify risky emails and to hold employees accountable for doing so. We test our employees’ ability to detect malicious emails with periodic phishing simulations. Employees who fail a phishing simulation receive further education and training. Continued failure to identify risky emails could also result in disciplinary action.
Supply Chain Security
Third-party risk is a major challenge to power utilities as malicious actors have targeted equipment, software and service vendors with an increasing number of attacks. Our Third-Party Risk Governance Committee consists of our Chief Security Officer, Chief Procurement Officer, Chief Risk Officer, Chief Information Officer and Legal. This committee reviews performance of our third-party risk program, provides guidance and approves changes to the program and assessment processes. All primary contracts must abide by our security requirements.
Following approval from the Federal Energy Regulatory Commission (FERC), NERC has expanded the CIP Reliability Standards to require utilities to develop a plan for managing cyber-related risks within their supply chain. The effective date of the new standards was delayed to October 2020 due to the pandemic. The new standards require utilities to rank vendors based on risk and to verify the authenticity of software manufacturers and the integrity of that software.
AEP has joined Fortress Information Security in launching the Asset-to-Vendor Network (A2V) for Power Utilities, a joint venture to promote collaboration among electric companies and reduce the costs associated with cybersecurity regulatory compliance. This network collaborates to evaluate and clear vendors for utility work, augmenting AEP’s existing evaluation process.